
SIMATIC S7
OPEN MODBUS / TCP
Communication via CP343-1 and CP443-1
Manual
Edition 2.1


Preface, Table of Contents
1 Product Description
2 Mounting
3 Commissioning
4 Function Block MODBUS
5 Transmission Protocol
6 Diagnostics
7 Application Sample
Appendices
Literature
Glossary


Safety Precautions and Warnings

This manual contains warnings, which you should note for your own safety as well as for
the prevention of damage to property. These warnings are indicated by means of a triangle
and displayed as follows in accordance with the level of danger:

Danger
indicates that loss of life, severe personal injury or substantial damage
will result if proper precautions are not taken.

Warning
indicates that loss of life, severe personal injury or substantial damage can result if proper
precautions are not taken.

Caution
indicates that minor personal injury or property damage can result if proper precautions are
not taken.

Notes
call attention to information that is especially significant to the product, handling of the
product or a specific part of this documentation.

Qualified Personnel
The equipment may be commissioned and put into operation by qualified personnel only.
For the purpose of the safety-relevant warnings of this manual, a qualified person is one who is
authorized to commission, ground and tag devices, systems and circuits.

Use as prescribed
Please note the following:

Warning
This equipment must only be used in applications as prescribed in the catalogue and the
technical description and in conjunction with equipment and components recommended and
authorized by Siemens.
Successful and safe operation of this equipment is dependent upon proper transport,
storage, erection and installation as well as careful operation and maintenance.

Trademarks
SIMATIC and SIMATIC NET are registered trademarks of SIEMENS AG.
The other brand names in this manual may be trademarks, the use of which by third parties for
their own purposes may infringe the proprietors' rights.

Copyright Siemens AG 2004 All Rights Reserved
This document may not be circulated nor reproduced; its contents may
not be utilized or passed on without explicit permission. Infringement
will result in indemnification. All rights reserved, in particular in the
event of a patent grant or GM entry.

Exclusion from Liability
We have checked the contents of this document with regard to
conformity to the described hardware and software. Deviations,
however, cannot be excluded; therefore we cannot accept prejudice
for its complete conformity. The information in this document is
checked regularly and necessary corrections are contained in
subsequent issues. Any suggestions for improvement are gratefully
received.
Siemens AG 2004
We reserve the right to make technical changes.

Preface

Purpose of the Manual
The information in this manual allows you to set up and put into operation the
connection between the CP 343-1/CP 443-1 and a device that supports the
Open MODBUS/TCP protocol.

Contents of the Manual
This manual describes the function of the function block MODBUS and its
integration into the hardware and software of the communications processor
CP 343-1/CP 443-1.
The manual contains the following topics:
- Product description / Mounting / Commissioning / Installation / Parameterisation
- Function block
- Transmission protocol
- Diagnostics
- Application sample

Scope of this Manual
This manual is valid for the following software:

| Product | Identification number | From version |
|---|---|---|
| FB OPEN MODBUS / TCP | 2XV9 450-1MB00 | 2.1 |

Note
This manual contains the FB description as it is valid at the time of
publication.

How to Access the Information in this Manual
To give you quick access to selected information, the manual provides
the following access aids:
- The next pages contain a complete table of contents.
OPEN MODBUS / TCP communication via CP343-1 and 443-1
2XV9450-1MB00; Manual edition 2.1
Additional Sources of Information
All additional information concerning CP 343/CP 443 (mounting,
commissioning etc.) can be found in the following manuals:
- SIEMENS SIMATIC NET, S7-CPs for Industrial Ethernet, device manual C79000-G8900-C155
- SIEMENS SIMATIC NET, S7-CPs for Industrial Ethernet, device manual part B1, CP 343-1 / CP 343-1EX20, C79000-G8900-C158
- SIEMENS SIMATIC NET, S7-CPs for Industrial Ethernet, device manual part B4, CP 443-1, C79000-G8900-C152
- SIEMENS SIMATIC NET, NCM S7 for Industrial Ethernet, manual C79000-G8900-C129

Additional information concerning STEP7 can be found in the following
manuals:
- SIEMENS SIMATIC Software, Base software for S7 and M7, STEP7 user manual, C79000-G7000-C502-..
- SIEMENS SIMATIC Software, System software for S7-300/400, System and standard functions, Reference manual C79000-G7000-C503-02

Additional Questions
If you have further questions regarding the use of the FBs described in this
manual, which are not answered in this document, please contact your
Siemens partner who supplied you with this function block.

Terminology
This document uses the term CP or CP 343/CP 443. The descriptions only
apply to communications processor CP 343-1/CP 443-1.

Scope of Application
The function block described in this manual establishes a connection
between the CP 343-1/CP 443-1 and third party MODBUS devices.
Table of Contents
1 Product Description
1.1 Field of Applications
1.2 Hardware and Software Prerequisites
2 Mounting
2.1 Interface Connection
3 Commissioning
3.1 Installing the Library on the STEP7 PG/-PC
3.2 Configuration of the Communication Link
3.3 Parameterisation of the CP
3.4 Network Configuration
3.5 Insertion of the Function Blocks into the Program
3.6 Start-up Characteristics of CP343 / CP443
4 Function Block MODBUS
4.1 Functionality of the FB
4.2 Parameters of the Function Block MODBUS
4.3 Data and Standard Functions used by the FB
5 Transmission Protocol
5.1 Overview
5.2 Function Code 03
5.3 Function Code 16
5.4 Exception Code Telegram
5.5 Further Sources of Information
6 Diagnostics
6.1 Diagnostics via the Display Elements of the CP
6.2 Verification by the FB MODBUS
6.3 Diagnostic Messages of the FB MODBUS
6.4 Diagnostic Messages of included FCs/SFCs
6.5 Diagnostic Messages of SFC24
7 Application Sample
7.1 Programming Example CP is Client
7.2 Programming Example CP is Server
A Literature

1 Product Description

1.1 Field of Applications

Placement in the System Environment
The driver described here is a software product for the Communications
Processor CP 343-1/CP 443-1.
The CP 343-1 can be used in the SIMATIC S7-300 automation system and
can establish communication links to partner systems.
The CP 443-1 can be used in the SIMATIC S7-400 automation systems and can
establish communication links to partner systems.

Function of the FB
This function block enables a communication link between CP 343-1 /
CP 443-1 and a device that supports the Open MODBUS/TCP protocol.
Conformance Class 0 is applied. Data transmission follows the
client-server principle.
The SIMATIC S7 can act as both client and server during the data
transmission.
In server operating mode, the multitasking functionality according to the
MODBUS reference is not implemented.

TCP/IP with CP343-1 / CP443-1
TCP/IP with CP 343-1 and CP 443-1 uses static connections. The TCP
connection is not disconnected during operation.
When the native TCP stack of the CP is used, the network configuration of
STEP7 allows a specific port number to be used only once. Therefore the
CP/FB cannot be addressed by different devices via the same port number.

1.2 Hardware and Software Prerequisites

Usable Modules
The function block is executable on CP 343-1 with
part number MLFB 6GK7 343-1EX11-0XE0.
The function block is executable on CP 443-1 with
part number MLFB 6GK7 443-1EX11-0XE0.

Software Versions
The FB MODBUS can be used with STEP7 Version 5.1 or higher
with the option NCM S7 for Industrial Ethernet.

Memory requirements
The FB MODBUS requires 8800 bytes of work memory and 9886 bytes of load
memory.
2 Mounting

2.1 Interface Connection

General Information
An Industrial Ethernet connection to a subsystem can be established. The
CP can be connected to Industrial Ethernet via a bus coupler or a
twisted pair connection.

Bus Coupler (Transceiver) via AUI Connection
The CP produces and supplies the required voltage for the bus coupler.

[Figure: CP connected to a bus coupler via a transceiver cable (pluggable cable 727-1)]

Industrial Twisted Pair Connection, e.g. via OSM
When using the Industrial Ethernet installation instructions according to the
following diagram, the CP will recognize the twisted pair and automatically
change to it.

[Figure: CP connected via an ITP installation cable, e.g. to an Optical Switch Module (OSM)]

Twisted Pair Connection via RJ45 Connector
In an environment with low EMC pollution, such as offices and switchboards, the
CP can be connected to the Ethernet using a twisted pair cable with an RJ-45
connector.

[Figure: CP connected via twisted pair, e.g. to an Optical Switch Module (OSM)]

Additional Information

Note
An AUI/ITP connector or a TP connector may be connected for a flawless
connection.
When hardware is changed during run mode (a cable is disconnected and plugged
into another interface), the new connection may not be recognized.
Therefore, the device must be turned off before you change the interface.

3 Commissioning

General Information
The CP 443-1/CP 343-1 can be configured via MPI or
LAN/Industrial Ethernet.
STEP7 is required with NCM S7 for Industrial Ethernet (NCM IE for short).
The information below about STEP7 and the communication link configuration
refers to STEP7 Version 5.1 and NCM S7 Industrial Ethernet Version 5.1.
In later versions, the sequences, names and directories might be different.

Requirements
Knowledge of AWL and basic knowledge of STEP7 and PLC.

3.1 Installing the Library on the STEP7 PG/-PC

What We Provide You
The library with the function blocks for your S7 project can be found on the
enclosed CD.
The CD additionally contains this documentation in electronic format and a
sample STEP7 project.

Requirements
For the installation, STEP7 must be installed together with the option NCM S7 for
Industrial Ethernet.

Installation
The block is installed as follows:
1. Insert the CD into your PG/PC.
2. Copy the folder Modbus_TCP from the CD into the directory
Siemens\S7libs\.
Result: The library is installed in the following directory:
Siemens\S7libs\Modbus_TCP.
To access the library, use the browse function of the open dialog for libraries.
3.2 Configuration of the Communication Link

Introduction
Configuring the communication link consists of arranging the
hardware in the configuration table using HW Config. You do the
configuration using the STEP7 software.
For an Industrial Ethernet link, the SIMATIC 400-Station,
SIMATIC 300-Station, the communication partner and the
Industrial Ethernet network must be configured.

S7 Project
Before you can do the configuration, you must have created a new S7
project in STEP7.

Project Components
Insert the necessary project components with SIMATIC Manager into the
opened project: SIMATIC-Station, Other Station, Industrial Ethernet network.
Before each insertion, click on the opened project to select it.

SIMATIC 300-Station
- Insert > Station > SIMATIC 300-Station for your S7 program (Rack, PS, CPU, CP343-1, ...)
- Insert > Station > Other Station for the communication partner
- Insert > Subnet > Industrial Ethernet for an Industrial Ethernet network between the SIMATIC 300-Station and the communication partner

SIMATIC 400-Station
- Insert > Station > SIMATIC 400-Station for your S7 program (Rack, PS, CPU, CP443-1, ...)
- Insert > Station > Other Station for the communication partner
- Insert > Subnet > Industrial Ethernet for an Industrial Ethernet network between the SIMATIC 400-Station and the communication partner

Configure Hardware
The configuration of the hardware includes the selection of the hardware
components and their characteristics.

SIMATIC 300-Station
Selecting the SIMATIC 300-Station and double-clicking Hardware (or
Edit > Open Object) starts HW Config. With Insert > Hardware
Components, insert from SIMATIC 300 a RACK-300, a PS-300, a CPU-300,
and from CP-300 the CP Industrial Ethernet CP 343-1 with the appropriate
order numbers.
The procedures for configuring S7 300 devices are described in detail in the
user manual of STEP7.

SIMATIC 400-Station
Selecting the SIMATIC 400-Station and double-clicking Hardware (or
Edit > Open Object) starts HW Config. With Insert > Hardware
Components, insert from SIMATIC 400 a RACK-400, a PS-400, a CPU-400,
and from CP-400 the CP Industrial Ethernet CP 443-1 with the appropriate
order numbers.
The procedures for configuring S7 400 devices are described in detail
in the user manual of STEP7.

3.3 Parameterisation of the CP

Parameterisation of the CP
After the devices are arranged on your rack with HW Config, they have to be
parameterised.
The parameterisation window of the CP 343-1 or CP 443-1 can be opened in
HW Config by double-clicking the CP or by selecting the CP and clicking the
menu item Edit > Object Properties.

Properties CP343-1 General / Properties CP443-1 General
Click on the tab General, then select Properties (single click). This will open
the Ethernet interface window.
Here you can enter the IP address and the subnet mask of the CP. If your
stations are connected with each other without a router, they have
to be within the same subnet.
In the field Subnet, connect the CP with the Industrial Ethernet. To do
that, select the entry with the name of your network. For newly created
networks this is normally Ethernet(1).
After the successful parameterisation you will be back in the dialog box
Properties CP343-1 or Properties CP443-1. Click on OK to finish
the parameterisation of the CP and you will be back in HW Config.
Save and compile the parameterisation and close HW Config. You will be
back in the main menu of the STEP7 project.

Parameterisation of the Communication Partner
After you have inserted the communication partner's station into your STEP7
project (as described in Project Components: Insert > Station > Other Station), you
have to specify the object properties of the external station.
Starting from the STEP7 project, select the communication partner
(Other Station) by clicking it.
Select the menu item Edit > Object Properties.
This opens the dialog box Properties Other Station.

1) Properties Other Station Interfaces
On the tab Interfaces click on New. In the selection that appears, select
Industrial Ethernet and click on OK.
This opens the dialog box Properties Ethernet Interface. Enter an IP
address that is in the same subnet as the communication partner's station.
The subnet mask should be the same as that of the partner's station.
Select the associated subnet that connects the CP interface with the
communication partner's interface.
Click on the OK button. This will bring you back to the tab Interfaces.

2) Properties Other Station General
On the tab General you do not have to make any settings.
Click on the OK button and you will be back in the main menu of the STEP7
project.
An external station can have multiple interfaces (= Ethernet devices) and may
be connected to different Ethernet connections.

3.4 Network Configuration

Communications Connection
The CP is the link for the Industrial Ethernet connection between the S7-CPU
and the communication partner / bus. A connection configuration must be
made for the connection of the interfaces to the communication partner / bus.

Configure Network
In the STEP7 project, select the CPU in your S7 300/S7 400-Station and open
the network configuration by double-clicking Connections. This opens the
program NetPro, with which your connections can be configured.
After selecting Insert > New Connection... the dialog box Insert new
connection will come up. Select the connection partner (Other Station) for the
new connection and use TCP Connection for the connection. Put a check
mark on Show properties dialog.
Click OK. This will take you back to the dialog box Properties TCP
connection.

Object Properties of the Connection
An ID is provided. You can change the ID if needed.
Click on the button Routing and the configured connection will be shown.
The MODBUS client normally performs active connection establishment.
On the tab Addresses the port numbers are defined.
Click on OK and the inputs are accepted.
Save the network configuration and close the program NetPro.
Please note that the connection ID (Local ID) has to be used when the FB is
called in the user program.

Selection of the Port Number
In a MODBUS communication a MODBUS server is normally addressed via
port 502, whereas a MODBUS client uses a port other than 502.

Unspecified Connection
If the S7 is the MODBUS server and you do not know the port number of
the client, the communication can be set up as an
unspecified connection. The client, however, has to perform active
connection establishment.
In that case you do not need an Other Station in your S7 project. After
selecting Insert > New Connection... the dialog box Insert new connection
will come up. Here, select unspecified instead of the communication partner
and use TCP Connection for the connection. Put a check mark on Show
properties dialog.
Click OK. This will take you back to the dialog box Properties TCP
connection.
Active connection establishment must not be activated. On the tab
Addresses, all information regarding the partner (IP and PORT) is left
blank.
Click on OK and the inputs are accepted.
3.5 Insertion of the Function Blocks into the Program

Insertion of the MODBUS FBs
In order to exchange data with MODBUS devices, you need the function block
MODBUS. To be able to insert it into your project, you have to copy the
function block from the library. To do so, open the library Modbus_TCP by
selecting the menu item File > Open.... In the dialog box Open Project
select the tab Libraries. Select the library Modbus_TCP using the
Browse button and click OK.
This opens the library. Select the function block FB100 (MODBUS) and copy
it via Edit > Copy.
Then change back to your project by selecting Window > Your project.
In the STEP7 project, in your opened S7 300/S7 400-Station, select the CPU.
Double-click S7 Program, and then Blocks.
This will open the Blocks folder.
Select Edit > Paste. This will insert the block into your program.

Insertion of the Communication Blocks
The function block MODBUS uses the function blocks AG_SEND and
AG_RECV, or AG_LSEND and AG_LRECV in S7-400. These should be
inserted into your program. You can find these communication function blocks
in the library SIMATIC_NET_CP, which is included in the software package
NCM S7 for Industrial Ethernet. Open the library by selecting File > Open....
In the dialog box Open Project select the tab Libraries. Select the
library SIMATIC_NET_CP and click OK.
This will open the library.

CP 300
For the CP 300 family, open the folder CP 300 by double-clicking it. Select the
functions FC5 (AG_SEND) and FC6 (AG_RECV) and copy them with Edit >
Copy. Then change back to your project by selecting Window > Your
Project.
In the STEP7 project, in your opened S7 300-Station, select the CPU. Open
the Blocks folder by double-clicking S7 Program and then Blocks.
With Edit > Paste, insert the function blocks into your program.

CP 400
For the CP 400 family, open the folder CP 400 by double-clicking it. Select the
functions FC50 (AG_LSEND) and FC60 (AG_LRECV) and copy them with Edit >
Copy. Then change back to your project by selecting Window > Your
Project.
In the STEP7 project, in your opened S7 400-Station, select the CPU. Open
the Blocks folder by double-clicking S7 Program and then Blocks.
With Edit > Paste, insert the function blocks into your program.

Please note that the following versions of the FCs are a prerequisite for the
faultless function of the FB MODBUS:
- S7/400: AG_LSEND V3.0 or higher, AG_LRECV V3.0 or higher
- S7/300: AG_SEND V4.2 or higher, AG_RECV V4.7 or higher

3.6 Start-up Characteristics of CP343 / CP443

Introduction
The start-up of the CP is divided into the following phases:
- Initialisation (power on of the CP)
- Parameterisation

Initialisation
As soon as the CP is connected to power, the hardware self test runs. The
firmware of the CP is set up for operation.

Parameterisation
During parameterisation the CP receives the device parameters that are
assigned to its slot.
The CP is now ready for operation.
4 Function Block MODBUS

4.1 Functionality of the FB

General Information
The function block MODBUS allows communication between a CP 443-1 or
CP 343-1 and a partner which supports conformance class 0 of Open
MODBUS/TCP.
Depending on the parameterisation, the FB can be operated both in client and
in server mode.
In server operating mode, the multitasking functionality according to the
MODBUS reference is not implemented.
The function block performs the following functions:
- Calls the standard functions for the data transfer between the CPU and the CP
- Generates the MODBUS-specific telegram header before sending
- Verifies the MODBUS-specific telegram header after receipt
- Verifies that the memory areas requested by the client exist
- Generates exception telegrams when failures occur (only when the CP is in server mode)
- Transfers data to and from the parameterised DB
- Monitors the data receipt for timeout

Call of the FB
The function block has to be called both in the start-up OB100 and in
the cyclic OB1.
It is not allowed to call FB MODBUS in cyclic interrupt organisation blocks
(e.g. OB35).

Start Up of the FB
The function block MODBUS should unconditionally be called once in OB100.
The initialisation parameters must be set according to the station
configuration. They will be copied into the instance DB.
The runtime parameters are not evaluated during start-up.

Cyclical Operation of the FB
In cyclical operation the FB MODBUS is called in OB1. According to the
runtime parameters, the functions of the function block are activated. While a
request is running, changes to the runtime parameters are ignored.
In cyclical operation, initialisation parameters are ignored.

Initiate Request, CP is Client
A rising edge at the trigger input ENQ_ENR initiates a request. Depending on
the input parameters UNIT, READ/WRITE, START_ADDRESS, LENGTH and
TI, a MODBUS request telegram is generated and sent to the partner station
via the TCP/IP connection. The client waits for the parameterised monitoring
time MONITOR for a response from the server.
When the monitoring time elapses (no response from the server), the
activated request is terminated with an error. A new request can be initiated
again.
After the receipt of the response telegram a validity check is carried out. If the
result is positive, the necessary actions are taken and the request is
terminated without error. The output DONE_NDR is set. When an error is
recognised during verification, the request is terminated with an error, the
ERROR bit is set and an error number is returned in STATUS.

Activation of the Function Block, CP is Server
With a TRUE signal at the trigger input ENQ_ENR, the FB is ready to receive
a request telegram from the client. The server remains passive.
The received telegram is verified. If the verification is positive, the
response telegram is sent. The completed transmission is reported to the
user by setting the DONE_NDR bit.
At this point the completed function is indicated at the outputs
START_ADDRESS, READ_WRITE, LENGTH, UNIT and TI.
A faulty request telegram causes an error message and the ERROR bit is
set. The error number is returned in STATUS. The request of the client is not
answered.

Data Transfer between CPU and CP
The data transfer between CP and CPU is done with the standard function
blocks AG_SEND and AG_RECV.
When the client activates a MODBUS request (CP is client) or a telegram
is received from the client (CP is server), the standard blocks
necessary for the CP are called by the FB in the right order and number.
At the receipt of a telegram, the first 6 bytes are read with the function
AG_RECV. This header contains the length of the rest of the telegram. A
second call of the AG_RECV function follows with the rest of the telegram
length. The verification of the received data takes place after the complete
receipt of the data.

TCP/IP with CP343-1 / CP443-1
TCP/IP with CP 343-1 and CP 443-1 uses static connections. The TCP
connection cannot be disconnected while in run mode.
Given this system characteristic, telegrams might be lost under unfavourable
conditions when the synchronisation has been lost after an error. The function
of the FB in these situations is described in chapter 6.
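
The two-step receive described above (6 header bytes first, then the rest as announced by the length field), as an added Python example that is not the FB's own code: it bounds the length field before the second read, because on a connection that stays open a wrong length shifts every telegram that follows. The protocol identifier 0 and the length bounds 2 to 254 are taken from the public Modbus specification, not from this section; the sample telegrams are constructed.

```python
import io
import struct

HEADER_LEN = 6            # transaction id, protocol id, length: 2 bytes each
MIN_LENGTH_FIELD = 2      # unit identifier + function code
MAX_LENGTH_FIELD = 254    # unit identifier + largest PDU (253 bytes), Modbus specification


class FramingError(Exception):
    """The byte stream cannot be a well-formed MODBUS/TCP telegram."""


def recv_exact(stream, count):
    """Read exactly `count` bytes; a short read means the peer closed or stalled."""
    buf = b""
    while len(buf) < count:
        chunk = stream.read(count - len(buf))
        if not chunk:
            raise FramingError(f"stream ended after {len(buf)} of {count} bytes")
        buf += chunk
    return buf


def read_telegram(stream):
    """First read: 6 header bytes. Second read: the rest, sized by the length field."""
    ti, protocol, length = struct.unpack(">HHH", recv_exact(stream, HEADER_LEN))
    if protocol != 0:
        raise FramingError(f"protocol identifier {protocol} is not MODBUS")
    # Check the announced length before trusting it for the second read.
    if not MIN_LENGTH_FIELD <= length <= MAX_LENGTH_FIELD:
        raise FramingError(
            f"length field {length} outside {MIN_LENGTH_FIELD}..{MAX_LENGTH_FIELD}")
    rest = recv_exact(stream, length)
    return {"ti": ti, "unit": rest[0], "function": rest[1], "data": rest[2:]}


def read_stream(data):
    """Parse back-to-back telegrams; stop at the first framing error.

    After an error the position of the next header is unknown, so no attempt
    is made to resynchronise by guessing.
    """
    stream = io.BytesIO(data)
    telegrams = []
    while stream.tell() < len(data):
        try:
            telegrams.append(read_telegram(stream))
        except FramingError as exc:
            return telegrams, str(exc)
    return telegrams, None


# Constructed sample telegrams (not captured from a real device).
# Function code 03: TI=1, unit=1, start address 0, 2 registers.
READ_REQUEST = bytes.fromhex("0001 0000 0006 01 03 0000 0002")
# Function code 16: TI=2, unit=1, start address 16, 1 register, value 0x1234.
WRITE_REQUEST = bytes.fromhex("0002 0000 0009 01 10 0010 0001 02 1234")
# Header announcing 65535 further bytes.
OVERSIZED = bytes.fromhex("0003 0000 FFFF 01 03")

if __name__ == "__main__":
    print(read_stream(READ_REQUEST + WRITE_REQUEST))
    print(read_stream(READ_REQUEST + OVERSIZED))
```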
4.2 Parameters of the Function Block MODBUS

Parameter Decl. Type Description Value range Init
ID IN WORD Connection-ID as per configuration
1 to 64
W#16#1 to
W#16#40
yes
LADDR IN WORD LADDR-Address from HW Config CPU
dependent
yes
TIMER_NR IN TIMER Timer number for response monitoring
time
CPU
dependent
yes
MONITOR IN WORD Monitoring Time: Wait for data from
communication partner; 100 ms units
1 to 999
W#16#1 to
W#16#3E7
no
DB_1 IN WORD Data block number, first range
1 to 65535
W#16#1 to
W#16#FFFF
yes
START_1 IN WORD First MODBUS register address
0 to 65535
W#16#0000 to
W#16#FFFF
yes
END_1 IN WORD Last MODBUS register address
0 to 65535
W#16#0000 to
W#16#FFFF
yes
DB_2 IN WORD Data block number, second range;


NULL if not used
1 to 65535
W#16#1 to
W#16#FFFF
0
yes
START_2 IN WORD First MODBUS register address
0 to 65535
W#16#0000 to
W#16#FFFF
yes
END_2 IN WORD Last MODBUS register address
0 to 65535
W#16#0000 to
W#16#FFFF
yes
DB_3 IN WORD Data block number, third range;


NULL if not used
1 to 65535
W#16#1 to
W#16#FFFF
0
yes
START_3 IN WORD First MODBUS register address
0 to 65535
W#16#0000 to
W#16#FFFF
yes
END_3 IN WORD Last MODBUS register address
0 to 65535
W#16#0000 to
W#16#FFFF
yes
OPEN MODBUS / TCP communication via CP343-1 and 443-1
2XV9450-1MB00; Manual edition 2.1
4-3
Function Block MODBUS
Parameter | Decl. | Type | Description | Value range | Init
DB_4 | IN | WORD | Data block number, fourth range; NULL if not used | 1 to 65535 (W#16#1 to W#16#FFFF), 0 | yes
START_4 | IN | WORD | First MODBUS register address | 0 to 65535 (W#16#0000 to W#16#FFFF) | yes
END_4 | IN | WORD | Last MODBUS register address | 0 to 65535 (W#16#0000 to W#16#FFFF) | yes
DB_5 | IN | WORD | Data block number, fifth range; NULL if not used | 1 to 65535 (W#16#1 to W#16#FFFF), 0 | yes
START_5 | IN | WORD | First MODBUS register address | 0 to 65535 (W#16#0000 to W#16#FFFF) | yes
END_5 | IN | WORD | Last MODBUS register address | 0 to 65535 (W#16#0000 to W#16#FFFF) | yes
WRITE_PROTECT1 | IN | BOOL | Area 1 is write protected (only in SERVER mode) | TRUE / FALSE | yes
WRITE_PROTECT2 | IN | BOOL | Area 2 is write protected (only in SERVER mode) | TRUE / FALSE | yes
WRITE_PROTECT3 | IN | BOOL | Area 3 is write protected (only in SERVER mode) | TRUE / FALSE | yes
WRITE_PROTECT4 | IN | BOOL | Area 4 is write protected (only in SERVER mode) | TRUE / FALSE | yes
WRITE_PROTECT5 | IN | BOOL | Area 5 is write protected (only in SERVER mode) | TRUE / FALSE | yes
ENQ_ENR | IN | BOOL | CP is Client: Initiate request at TRUE signal. CP is Server: Ready to receive at TRUE signal | TRUE / FALSE | no
SERVER_CLIENT | IN | BOOL | CP/FB operates in server mode or client mode | TRUE / FALSE | yes
DONE_NDR | OUT | BOOL | CP is Client: Active request finished without errors. CP is Server: Request from the client was executed and answered | TRUE / FALSE | no
ERROR | OUT | BOOL | An error has occurred. | TRUE / FALSE | no
STATUS | OUT | WORD | Error number | 0 to FFFF | no
START_ADDRESS | IN/OUT | WORD | MODBUS start address (INPUT if in CLIENT mode, OUTPUT if in SERVER mode) | 0 to 65535 (W#16#0000 to W#16#FFFF) | no
LENGTH | IN/OUT | BYTE | Number of registers to be processed (INPUT if in CLIENT mode, OUTPUT if in SERVER mode) | Read function: 1 to 125 (B#16#1 to B#16#7D); Write function: 1 to 100 (B#16#1 to B#16#64) | no
WRITE_READ | IN/OUT | BOOL | Read or write access (INPUT if in CLIENT mode, OUTPUT if in SERVER mode) | TRUE / FALSE | no
TI | IN/OUT | WORD | Transaction Identifier (INPUT if in CLIENT mode, OUTPUT if in SERVER mode) | 0 to 65535 (W#16#0 to W#16#FFFF) | no
UNIT | IN | BYTE | Unit identification (INPUT if in CLIENT mode, OUTPUT if in SERVER mode) | 0 to 255 (B#16#0 to B#16#FF) | no

General Information
The parameters of the FB MODBUS can be divided into two groups:
- Initialisation parameters
- Runtime parameters
Initialisation parameters are evaluated only during the initial execution of
the function block MODBUS and taken over into the instance DB. They are
marked with "yes" in the INIT column of the above table.
A modification of the initialisation parameters during run mode has no effect.
After a modification of these parameters (e.g. during the test phase), the
instance DB must be initialised again via a STOP -> RUN transition of the
CPU.
Runtime parameters can be modified during cyclical operation. Modifying the
input parameters while a request is active is not advised. Wait with the
preparations for the next request and the change of the parameters until the
previous request ends with DONE_NDR or ERROR.
The output parameters should only be evaluated when DONE_NDR is TRUE.
Range of Values
For the range of values of the different parameters, CPU specific restrictions
must be taken into consideration.
ID
For each configured connection in STEP7 a connection ID is assigned. The
connection ID unambiguously identifies the connection from the CPU via the
CP to the communication partner.
The number from the connection configuration has to be entered here.
The range of values for this parameter depends on the CPU.
LADDR
The parameter LADDR is the base address of the CP from HW Config (input
address). The configured value has to be entered here.
The range of values for this parameter depends on the CPU.
The parameters ID and LADDR can also be taken from the dialog box
"Properties of TCP Connection".
TIMER_NR
This specifies the timer that implements the monitoring time MONITOR.
The range of values for this parameter depends on the CPU. No other
program may use this timer.
MONITOR
The monitoring time MONITOR observes the data input from the
communication partner. The monitoring time can be set in 100 ms intervals. A
monitoring time of approximately 1.5 seconds is recommended.
In the operating mode "CP is Client" MONITOR specifies the timeout for the
receipt of the complete response telegram from the server. When the
monitoring time elapses, the active request is cancelled with an error. The
timer is started after the request telegram has been sent completely and is
stopped after the receipt of the complete data.
In the operating mode "CP is Server" the receipt of the second part of the
telegram is monitored with the MONITOR time. When the time elapses, an
error is reported. The timer is started after the receipt of the MODBUS specific
telegram header and is stopped after the receipt of the complete request
telegram.
DB_x, START_x, END_x
The FB offers 5 memory areas for mapping the MODBUS register addresses
into the S7 storage. At least one data area must be defined. The other 4
data areas are optional. Depending on the type of request, those memory
areas are read or written.
One request can access only one DB. Even if consecutive register
numbers are located in two different DBs, two requests are needed to access
them. This has to be taken into account during parameterisation.
In the operating mode "CP is Client" 3 parameters are required: DB_x,
START_x and END_x. In the operating mode "CP is Server" the parameter
WRITE_PROTECTx is required additionally.
The parameter DB_x specifies the DB into which the MODBUS registers
defined below are mapped. START_x specifies the first register
address, which is stored in word 0 of the DB. END_x defines the address of
the last MODBUS register.

The number of the data word of the S7 DB in which the last register is
mapped can be calculated with the following formula:
DBW number = (END_x - START_x) * 2
If 0 is entered for DB_x, the respective memory area is not used.
The defined memory areas must not overlap. The parameter END_x must not
be smaller than START_x. If either rule is violated, the initialisation of the
FB is stopped with an error.
An example of the mapping of the MODBUS addresses to S7 memory areas
is given further below.
WRITE_PROTECTx
Memory areas can be write protected in the operating mode "CP is
Server". This ensures that the client cannot write to certain memory areas of
the S7.
Each memory area has a separate write protection flag. Write
accesses to locked memory areas trigger an Exception Telegram.
ENQ_ENR
Operating mode "CP is Client":
The data transfer is initiated with a TRUE signal at the input. The request
telegram is generated with the values of the input parameters UNIT,
WRITE_READ, START_ADDRESS, LENGTH and TI. A new request may only
be initiated when the previous one has ended with DONE_NDR or ERROR.
Operating mode "CP is Server":
The FB is activated with a TRUE signal at the input. Telegrams from the client
can be received. With a FALSE signal at the input, data is received from the
CP and discarded.
SERVER_CLIENT
This parameter differentiates the client from the server mode. If the input is
TRUE, then the operating mode is "CP is Server".
If the input is FALSE, then the operating mode is "CP is Client".
DONE_NDR
The parameter DONE_NDR indicates an error free execution of the request.
In the operating mode "CP is Client" the activated request was executed
without error. For a read function the response data from the server has
already been entered into the DB. For a write function the response to the
request telegram has been received from the server.
In the operating mode "CP is Server" this output indicates a telegram
exchange without errors. The parameters WRITE_READ,
START_ADDRESS and LENGTH display the request parameters of the
client. These outputs are only available and valid as long as DONE_NDR
is TRUE.
ERROR
When this output is set, an error was recognized.
In the operating mode "CP is Client" the activated request was ended with an
error. The error number is displayed in the STATUS output.
In the operating mode "CP is Server" an error was detected in a request
telegram of the client or when sending a response telegram. The error number is
displayed in the STATUS output.
STATUS
The STATUS output displays the error number when ERROR is TRUE. The
error numbers are described in chapter 6.
START_ADDRESS
The parameter START_ADDRESS specifies the first MODBUS register that is
read or written. In the operating mode "CP is Client" it is an input parameter,
in the operating mode "CP is Server" it is an output parameter.
LENGTH
The parameter LENGTH specifies the number of MODBUS registers that are
read or written. In the operating mode "CP is Client" it is an input parameter.
In the operating mode "CP is Server" it is an output parameter.
For read functions, a maximum of 125 registers is possible per telegram. For
write functions a maximum of 100 registers is possible. All registers of one
telegram have to be in the same DB.
WRITE_READ
This parameter defines whether a read or write function is carried out. The
value FALSE specifies the read mode. The value
TRUE specifies the write mode. In the operating mode "CP is Client" it is an
input parameter. In the operating mode "CP is Server" it is an output
parameter.
TI
The parameter TI (Transaction Identifier) is copied by the server from the
request telegram to the response telegram according to the MODBUS
specification.
In the operating mode "CP is Client" it is an input parameter. The FB copies
this value to the request telegram and verifies it when the response telegram
is received.
In the operating mode "CP is Server" it is an output parameter. The FB copies
this value from the request telegram to the response telegram.
The Transaction Identifier is used to identify telegrams, that is, to
correlate request and response. The FB MODBUS can only do this
correlation if the TI is changed with each transaction. A changed TI can only
solve some special situations caused by TCP. Reliable operation of the FB
can be obtained with a changed TI. Therefore we recommend incrementing
the TI by 1 with every request.
UNIT
In mode "CP is Client" the parameter UNIT is an input parameter. This input
has to be set according to the requirements. The FB copies this value to the
request telegram and verifies it when the response telegram is received.
In mode "CP is Server" the parameter UNIT is an output parameter. The FB
copies this value from the request telegram to the response telegram. The
output is set with the received value when the job is finished without error.
Example: Parameterisation of the Memory Areas

SERVER_CLIENT Server
DB_1 W#16#A (10)
START_1 W#16#1 (1)
END_1 W#16#8 (8)
WRITE_PROTECT1 FALSE
DB_2 W#16#B (11)
START_2 W#16#B (11)
END_2 W#16#11 (17)
WRITE_PROTECT2 TRUE
DB_3 W#16#C (12)
START_3 W#16#64 (100)
END_3 W#16#67 (103)
WRITE_PROTECT3 FALSE
DB_4 0
DB_5 0

DB 10

Address Name Type Comment
+0.0 Register 1 WORD read write
+2.0 Register 2 WORD read write
+4.0 Register 3 WORD read write
+6.0 Register 4 WORD read write
+8.0 Register 5 WORD read write
+10.0 Register 6 WORD read write
+12.0 Register 7 WORD read write
+14.0 Register 8 WORD read write

DB 11

Address Name Type Comment
+0.0 Register 11 WORD read only
+2.0 Register 12 WORD read only
+4.0 Register 13 WORD read only
+6.0 Register 14 WORD read only
+8.0 Register 15 WORD read only
+10.0 Register 16 WORD read only
+12.0 Register 17 WORD read only

DB 12

Address Name Type Comment
+0.0 Register 100 WORD read write
+2.0 Register 101 WORD read write
+4.0 Register 102 WORD read write
+6.0 Register 103 WORD read write
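
The start-up checks and the register-to-data-word mapping, applied to the example parameterisation above, as an added Python illustration (not code from the manual or from the FB). The function names and the dictionary layout are assumptions; the STATUS values and exception code 02 are the ones the manual lists in chapters 5.4 and 6.3.

```python
# Added illustration: models the FB MODBUS area parameters in plain Python.
# Area parameters copied from the manual's example (SERVER mode).
# DB_4 and DB_5 are 0, i.e. not used.
AREAS = [
    {"db": 10, "start": 1, "end": 8, "write_protect": False},
    {"db": 11, "start": 11, "end": 17, "write_protect": True},
    {"db": 12, "start": 100, "end": 103, "write_protect": False},
    {"db": 0},
    {"db": 0},
]

MAX_READ, MAX_WRITE = 125, 100  # registers per telegram (FC3 / FC16)
ILLEGAL_DATA_ADDRESS = 2        # MODBUS exception code 02


def check_parameterisation(areas):
    """Start-up checks. Returns a list of findings (STATUS codes as hex text)."""
    findings = []
    used = [(i, a) for i, a in enumerate(areas, start=1) if a["db"] != 0]
    if not used:
        # The manual requires at least one area but names no STATUS code here.
        findings.append("no area enabled")
    for _, a in used:
        if a["end"] < a["start"]:
            findings.append("A002")
    for n, (i, a) in enumerate(used):
        for j, b in used[n + 1:]:
            if a["db"] == b["db"]:
                findings.append("A010")          # DB number used twice
            if a["start"] <= b["end"] and b["start"] <= a["end"]:
                findings.append(f"A0{i}{j}")     # DB_i and DB_j overlap
    return findings


def resolve(areas, start_address, length, write):
    """Map one request to its DB.

    Returns ("ok", db, first_dbw, last_dbw) or
    ("exception", exception_code, status) as a server would answer it.
    """
    if not 1 <= length <= (MAX_WRITE if write else MAX_READ):
        return ("exception", ILLEGAL_DATA_ADDRESS, "A005")
    last = start_address + length - 1
    for a in areas:
        if a["db"] == 0:
            continue
        # All registers of one request must lie in the same DB.
        if a["start"] <= start_address and last <= a["end"]:
            if write and a["write_protect"]:
                return ("exception", ILLEGAL_DATA_ADDRESS, "A00F")
            # START_x sits in data word 0; each register takes 2 bytes.
            first_dbw = (start_address - a["start"]) * 2
            last_dbw = (last - a["start"]) * 2
            return ("ok", a["db"], first_dbw, last_dbw)
    return ("exception", ILLEGAL_DATA_ADDRESS, "A006")


if __name__ == "__main__":
    print(check_parameterisation(AREAS))
    for req in [(1, 8, True), (17, 1, False), (11, 2, True), (8, 4, False)]:
        print(req, "->", resolve(AREAS, *req))
```

Setting the write protection flag on every area the client has no need to write keeps FC16 requests to those registers answered with exception code 02 instead of being executed.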
4.3 Data and Standard Functions used by the FB
Instance DB
The function block MODBUS stores its data in an instance DB. This instance
DB is created by STEP7 at the first call of the FB.
The instance data block contains parameters of type Input, Output,
Input/Output as well as static variables that it needs for its execution. These
variables are non-volatile and keep their validity between FB calls. The
variables control the internal process flow of the FB.
The instance DB of FB MODBUS requires 704 bytes of work memory and 1070
bytes of load memory.
Local Variables
The FB requires 102 bytes of local variables. Additionally AG_SEND or
AG_RECV require local variables, up to 58 bytes, depending on the function
block used. That gives a maximum of 160 bytes of local data for an FB
MODBUS call.
Timers
The function block uses one timer to implement the monitoring time. The number
of the timer to be used can be parameterised.
Flags
The function block does not use any flags.
Standard FCs for Data Transfer
The function block uses the blocks AG_SEND/AG_LSEND and
AG_RECV/AG_LRECV from the SIMATIC_NET library for the data transfer
between CPU and CP.
The following versions of the FCs are tested with FB MODBUS and released
for the communication:
S7-300: FC5 AG_SEND version 4.2
        FC6 AG_RECV version 4.7
S7-400: FC50 AG_LSEND version 3.0
        FC60 AG_LRECV version 3.0
SFCs for Miscellaneous Functions
The FB MODBUS uses the following SFCs from the standard library:
- SFC6 READ_SINFO
- SFC24 TEST_DB
With SFC6 the FB checks whether it was called from OB100 or OB1 and
decides in this way whether the initialisation part or the cyclic part is executed.
A call of SFC24 determines whether the DB specified in DB_x is available at
runtime and has the required length.
5 Transmission Protocol
5.1 Overview
General Information
The protocol Open MODBUS/TCP uses the standardised TCP/IP protocol to
transfer data. The MODBUS specific data is created or verified by the FB.
The function block complies with Conformance Class 0 of the MODBUS
specification.
Client/Server
The PLC S7 with its CP and FB can act as both client and server.
The multitasking functionality described in the MODBUS reference is not
supported.
The client sends a request telegram to the server. The server responds
within the monitoring time. The server itself cannot initiate any data
transmission. Communication from server to server is not possible.
Function Codes
Conformance Class 0 consists of the following codes:
FC3: Read Register
FC16: Write Register
Protocol Structure
An Open MODBUS/TCP telegram starts with a header. This header is
identical for request and response telegrams and consists of 6 bytes.
The 6 bytes of the header are defined as follows:
Byte 0 : Transaction Identifier
Byte 1 : Transaction Identifier
Byte 2 : Protocol Identifier = 0
Byte 3 : Protocol Identifier = 0
Byte 4 : Length Specifier, High Byte = 0
Byte 5 : Length Specifier, Low Byte
Followed by:
Byte 6 : Unit Identification
Byte 7 : MODBUS Function Code
Byte 8 : first byte of Telegram Data
Transaction Identifier
The server copies the Transaction Identifier from the request telegram to the
response telegram according to the MODBUS specification.
With a TI that is changed cyclically it is possible to have a firm correlation of
request and response telegrams. We recommend using a TI which is
incremented with every telegram sequence.
In the operating mode "CP is Client" the received transaction identifier is
compared to the one sent. If they differ, the active request is ended
with an error.
In the operating mode "CP is Server" the received transaction identifier is
copied to the response telegram.
Protocol Identifier
The protocol identifier must always be 0. The FB sets the protocol identifier
in the request telegram to 0. When a telegram is received, the protocol
identifier is checked for the value 0. A value other than 0 creates an error
message.
Length Field
The length specifier in the length field defines the data length of the telegram
without the header (starting with byte 6). Thus the end of the telegram is
determined. The following telegram lengths are allowed for request and
response telegrams for read and write functions:

      | Request  | Response
Read  | 6        | 3 or 5 to 253
Write | 9 to 207 | 3 or 6

Unit Identifier
The parameter UNIT identifies a remote slave connected on a serial line or
on other buses. It is used for intra-system routing purposes.
With MODBUS/TCP the parameter UNIT is copied from the request to the
response telegram. The Master verifies that the UNIT of the received
telegram is identical to the one in the telegram sent.
Function Code
The function code describes the function of the telegram. The structure of the
telegram data depends on the function code.
Interpretation of the MODBUS Register Addresses
MODBUS bases its data model on a series of tables, which have
distinguishing characteristics. Some systems, e.g. MODICON PLCs, distinguish
between these memory areas via the register address. So a
MODBUS message requesting the read of a register at offset 0 would return
the value known to the application programmer as found in register 40001
(memory type 4xxxx, reference 0001).
One potential source of confusion is the varying interpretation of the register
address in different manuals. Sometimes the register address means the
address of the application layer, sometimes the address transferred.
The FB MODBUS uses the register address transferred at its parameters
START_x and START_ADDRESS. So it is possible to use register addresses
from 0000H to FFFFH with each function code.
5.2 Function Code 03
General Information
With function code 03 multiple registers can be read. The request telegram
contains UNIT, the function code, the start address of the registers and the
number of registers to be read.
The response telegram contains UNIT, the function code, the byte count for
the following data as well as the contents of the registers that were read. In
case of an error, the response can be an exception code telegram.
An open MODBUS/TCP specific header precedes the telegram structure that
is shown below.
Request Telegram
Byte 0: Unit Identifier
Byte 1: Function Code = 03
Byte 2: Register Start Address, High Byte
Byte 3: Register Start Address, Low Byte
Byte 4: Number of Registers, High Byte = 0
Byte 5: Number of Registers, Low Byte
Response Telegram
Byte 0: Unit Identifier
Byte 1: Function Code = 03
Byte 2: Byte count
Byte 3 to (2 * number of registers + 2): Register Values
5.3 Function Code 16
General
With function code 16 multiple registers can be written. The request telegram
contains UNIT, the function code, the start address of the registers, the byte
count and the values to be written.
The response telegram contains UNIT, the function code, the start address of
the registers and the number of registers written. In case of an error, the
response can be an exception code telegram.
The open MODBUS/TCP specific header precedes the telegram structure
shown below.
Request Telegram
Byte 0: Unit Identification
Byte 1: Function Code = 10H
Byte 2: Register Start Address, High Byte
Byte 3: Register Start Address, Low Byte
Byte 4: Number of Registers, High Byte = 0
Byte 5: Number of Registers, Low Byte
Byte 6: Byte Count
Byte 7 to (2 * number of words + 2): Register values
Response Telegram
Byte 0: Unit Identification
Byte 1: Function Code = 10H
Byte 2: Register Start Address, High Byte
Byte 3: Register Start Address, Low Byte
Byte 4: Number of Registers, High Byte = 0
Byte 5: Number of Registers, Low Byte
5.4 Exception Code Telegram
General Information
For certain errors the server responds with an exception code telegram.
Telegram Structure
The exception code telegram contains UNIT, the function code in which bit 2^7
is set, and the exception code.
The open MODBUS/TCP specific header precedes the telegram structure
shown below.
Byte 0: Unit Identification
Byte 1: Function Code + 80H
Byte 2: Exception Code

Exception Code | According to MODBUS specification | Reason
01 | Illegal Function | Function code not defined
02 | Illegal Data Address | FC16: Access to write protected area; DB does not exist; not all the data are located in the same DB; number of registers is too high

5.5 Further Sources of Information
Please find further information on the Open MODBUS/TCP protocol in the
document listed in appendix A.
6 Diagnostics
Diagnostic Function
The diagnostic functions of the CP 343 / CP 443 allow fast failure
localisation. The following diagnostic features are available:
- Diagnostics via the display elements of the CP
- Diagnostics via the STATUS output of the MODBUS function block
Display Elements (LED)
The display elements inform you about the operating mode or about the
failure conditions of the CP. The display elements give you an overview of
internal failures, external failures and interface specific failures.
STATUS Output of the MODBUS FB
For error diagnostics, the MODBUS function block has a STATUS output.
Reading the STATUS output gives a general indication of failures that have
occurred during the communication. The STATUS parameter can be
evaluated in the user's program.
6.1 Diagnostics via the Display Elements of the CP
Display Functions
The display elements of the CP give you information on the module status.
There are two types of display functions:
Group Error Displays
- INTF Internal failure
- EXTF External failure
Special Displays
CP 343-1:
- RX/TX A telegram is being transmitted via the interface.
CP 443-1:
- TXD A telegram is being sent via the interface.
- RXD A telegram is being received via the interface.
A detailed description of the display elements can be found in the device
manual of the CP.
6.2 Verification by the FB MODBUS
During start up
- Parameter group DB_x, START_x, END_x (x = 1 to 5):
  1. With DB_x = 0 the register area is disabled and not verified
     further. At least one area must be enabled.
  2. Test END_x >= START_x
  3. Register addresses that are defined in two DB_x lead to an
     error message (register overlap).
- Evaluation of the monitoring time MONITOR
- "CP is Server": UNIT is within the allowed range of values
Errors during start up cause the ERROR bit to remain set. In cyclical
operation no requests are executed. A correction of the parameterisation and
a STOP -> RUN transition of the CPU are necessary.
Cyclical Operation "CP is Client"
Verification when the FB is called:
- Range of values START_ADDRESS
- Range of values LENGTH
- At the execution of a request, it is checked whether the data block
  that is specified by the register address is available and has the
  necessary length.
- Receipt of the response telegram within the monitoring time.
  The monitoring time can also elapse if less data than specified in the
  MODBUS telegram header is received. Subsequent failures with loss
  of telegrams can occur.
Verification in the response telegram:
- Received transaction identifier is equal to the sent one
- Protocol identifier = 0
- Length is between 3 and 253.
  In addition, the length in the header of the response telegram is checked
  for plausibility regarding the request.
- UNIT sent is equal to the received one
- FC sent is equal to the received one
- Response is an Exception Code Telegram
- For read requests, the number of registers in the request telegram,
  length in the header and byte count in the telegram must match.
- For write requests it is verified that start address and number of
  registers match the request telegram.

Cyclical Operation "CP is Server"
- Receipt of the second part of the request telegram within the
  monitoring time.
  The monitoring time can also elapse if less data than specified in the
  MODBUS telegram header is received. Subsequent failures with loss
  of telegrams can occur.
- Protocol Identifier = 0
- Length between 6 and 207.
  In addition, the length in the header of the response telegram is
  checked for plausibility regarding the telegram data.
- Received FC is verified. If the FC is not equal to 03 or 16, an
  exception telegram is sent.
- For write requests, the length in the header, the number of registers
  and the byte count in the telegram must match.
- The number of registers is verified. If the number is too large, an
  exception telegram is sent.
- Access to write protected area: an exception telegram is sent.
- At the execution of a request, it is checked whether the data block
  that is specified by the register address is present and has the
  necessary length. In case of an error an exception telegram is sent.
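
The server-side telegram checks listed above, combined with the header and telegram layouts from chapter 5, as an added Python example (not the FB's implementation). The function names and verdict strings are assumptions, and the frames are constructed sample data; STATUS values are quoted only where the manual assigns one.

```python
import struct

FC_READ, FC_WRITE = 0x03, 0x10
MAX_READ, MAX_WRITE = 125, 100


def build_request(ti, unit, fc, start, count, values=()):
    """Client side: 6-byte header followed by the FC3 / FC16 request telegram."""
    body = struct.pack(">BBHH", unit, fc, start, count)
    if fc == FC_WRITE:
        body += bytes([2 * len(values)]) + struct.pack(f">{len(values)}H", *values)
    return struct.pack(">HHH", ti, 0, len(body)) + body


def exception_telegram(ti, unit, fc, code):
    """Header (length = 3) + UNIT + function code with bit 2^7 set + code."""
    return struct.pack(">HHHBBB", ti, 0, 3, unit, fc | 0x80, code)


def check_request(frame):
    """Validate one request the way the server-mode checks are described.

    Returns ("ok", fields), ("exception", reply_bytes) or ("drop", reason).
    """
    if len(frame) < 6:
        return "drop", "header incomplete"
    ti, pi, length = struct.unpack(">HHH", frame[:6])
    if pi != 0:
        return "drop", "protocol identifier not 0 (STATUS A009)"
    if frame[4] != 0:
        return "drop", "byte 4 of the header not 0 (STATUS A01A)"
    if not 6 <= length <= 207:
        return "drop", "length outside 6 to 207"
    body = frame[6:]
    if len(body) != length:
        # On a real TCP stream this is the lost-synchronisation case.
        return "drop", "length field does not match the bytes present"
    unit, fc = body[0], body[1]
    if fc not in (FC_READ, FC_WRITE):
        return "exception", exception_telegram(ti, unit, fc, 0x01)
    start, count = struct.unpack(">HH", body[2:6])
    values = []
    if fc == FC_READ:
        if length != 6:
            return "drop", "header length implausible for FC3 (STATUS A00E)"
    else:
        if length < 9:
            return "drop", "header length implausible for FC16 (STATUS A00E)"
        byte_count = body[6]
        if byte_count != 2 * count:
            return "drop", "byte count does not match registers (STATUS A00C)"
        if length != 7 + byte_count:
            return "drop", "header length does not match byte count (STATUS A00E)"
        values = list(struct.unpack(f">{count}H", body[7:]))
    if not 1 <= count <= (MAX_READ if fc == FC_READ else MAX_WRITE):
        # Number of registers too high: exception code 02 (STATUS A005).
        return "exception", exception_telegram(ti, unit, fc, 0x02)
    return "ok", {"ti": ti, "unit": unit, "fc": fc, "start": start,
                  "count": count, "values": values}


if __name__ == "__main__":
    for f in (build_request(7, 1, FC_READ, 100, 4),
              build_request(8, 1, FC_WRITE, 1, 2, (0x1234, 0xABCD)),
              build_request(9, 1, 0x06, 0, 1),
              build_request(10, 1, FC_READ, 0, 126)):
        print(f.hex(), "->", check_request(f))
```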

Lost Synchronisation
The lost synchronisation described below can only occur when the
communication partner has extreme malfunctions or there is serious
interference on the transmission line.
In order to read a MODBUS specific telegram header, the function block
MODBUS starts an AG_RECV with a length of 6 bytes. With the length in the
telegram header another AG_RECV is started. If the length in the telegram
header is not equal to the actual number of bytes sent to the CP (which is a
serious failure), the CP resolves this situation as follows:
1. More data than specified in the header is received:
   The next AG_RECV gets data that is not compliant with the
   MODBUS specific header. This leads to after effects such as a wrong TI or
   PI, data being interpreted as a length specification, or a wrong length
   being used by FB/AG_RECV.
2. Less data than specified in the header is received:
   The activated AG_RECV returns no ready signal and the monitoring
   time MONITOR elapses. The activated AG_RECV has only received
   a part of the data, therefore it is still in the receiving state. This
   AG_RECV cannot be cancelled. More data has to be received in order
   to be synchronised again.
   In operating mode "CP is Client" the request of the FB MODBUS is
   cancelled with ERROR. Another FB request can be activated. The
   response data is received with the old AG_RECV. Receiving must
   continue until the expected amount of data has been received.
   Multiple requests, which all end with the status "monitoring time
   elapsed", might be necessary to regain synchronisation.
   In the operating mode "CP is Server" the expected amount of data
   must be reached with request telegrams of the client. Multiple error
   messages "No response from server" might occur at the client.
   When the old AG_RECV ends, the FB reads a single byte in order to
   receive a possible telegram fragment from the CP. The reading is
   observed with the monitoring time MONITOR as well. When the
   monitoring time elapses, it is assumed that the synchronisation has
   been regained. The normal operation of the FB MODBUS is
   continued.
3. The announced amount of data does not match the request telegram
   ("CP is Client"):
   The FB MODBUS receives the announced amount of data and
   ignores it. ERROR and STATUS return an error code.
The above mentioned function of the FB is necessary because neither the
TCP/IP connection nor the activated AG_RECV can be cancelled.
When the FB recognises a lost synchronisation by an unfinished AG_RECV,
an additional error number is used.
6.3 Diagnostic Messages of the FB MODBUS
Messages at the STATUS Output of the FB
The error messages are displayed at the STATUS output of the FB MODBUS.
STATUS is valid when ERROR is TRUE. Below you will find a list of FB
specific error messages.
Error Messages of the called SFCs and FCs
The FB MODBUS uses the standard functions SFC6, SFC24, FC5 and FC6.
The error messages of these blocks are passed on without any changes.
In the diagnostics buffer or in the online help of SIMATIC Manager you will
find further details on these error messages, as well as in the SIMATIC
STEP7 NCM S7 Industrial Ethernet Manual.
Error messages of FB MODBUS
STATUS (Hex) | Event text | Remedy
A002 | The parameter END_x is less than START_x. | Correct the parameterisation.
A003 | The DB, to which MODBUS addresses shall be mapped, is too short. Minimum length: (END_x - START_x + 1) * 2. Other possible reasons: wrong initialisation parameter (CP is client); wrong address area in the request telegram of the client (CP is server). | Extend the DB. CP is Client: Correct the initialisation parameters START_ADDRESS or LENGTH. CP is Server: Modify the request of the client.
A005 | CP is Client: An invalid value for the parameter LENGTH is given. CP is Server: The number of registers in the request telegram is invalid. Range of values: 1 to 125 for read, 1 to 100 for write. | CP is Client: Correct the parameter LENGTH. CP is Server: Modify the number of registers in the request telegram.
A006 | The given range of registers does not exist in DB_1 to DB_5. | CP is Client: Correct the parameter combination START_ADDRESS, LENGTH. CP is Server: Modify the request of the client or correct the parameterisation of DB_x.
A007 | An invalid monitoring time MONITOR is parameterised. Range of values: 1 to 999 | Correct the parameterisation.
A008 | Monitoring time MONITOR elapsed when AG_RECV waits for receipt. As an after effect the loss of synchronisation can occur, which leads to a loss of telegrams. | E.g. connection is not established. Partner is not ready.

A009 | A Protocol Identifier not equal to 0 was received, or if CP is client: The received transaction identifier TI is not equal to the sent one. This error can also indicate an unsuccessful attempt at synchronisation. | Verify the data of the communication partner with the help of a telegram trace. CP is server: Ensure that the parameterised monitoring time MONITOR is shorter than the monitoring time MONITOR of the client. This is necessary to remove corrupted data from the CP.
A00A | CP is client: The received UNIT is not equal to the sent one. | Verify the data of the communication partner with the help of a telegram trace.
A00B | CP is client: Received function code is not equal to the sent one. CP is server: An invalid Function Code was received. | CP is client: Verify the data of the communication partner with the help of a telegram trace. CP is Server: The FB supports only the function codes 03 and 16.
A00C | The received byte count does not match the number of registers. | Verify the data of the communication partner with the help of a telegram trace.
A00D | The register address in the response telegram is not equal to the one in the request telegram (only if CP is client). | Verify the data of the communication partner with the help of a telegram trace.
A00E | The length indicated in the MODBUS specific telegram header does not match the number of registers or the byte count in the telegram. The FB receives all data and ignores them. As an after effect a loss of synchronisation might occur. | Verify the data of the communication partner with the help of a telegram trace.
A00F | CP is server: Attempt to write to a write protected area. | Modify the request of the client or correct the parameterisation.
A010 | In the parameterised areas DB_1 to DB_5 a DB number is used twice. | Correct the parameterisation.
A01A | Corrupted data or wrong length in header: Byte 4 of the prefix is not equal to 0 | Verify the data of the communication partner with the help of a telegram trace.
A01B | An exception telegram with exception code 1 was received (only if CP is client) | The communication partner does not support the requested function.
A01C | An exception telegram with exception code 2 was received (only if CP is client) | An attempt to access an invalid or non-existing address at the communication partner was made, or not all data are located in the same DB. Correct LENGTH or START_ADDRESS at the call of the FB.

A01D  Event:  An exception telegram with an unknown exception code was received (only if CP is client).
      Remedy: Check the error message of the communication partner and verify the data with a telegram trace if needed.
A01E  Event:  The CP has received invalid data which could not be assigned. The CP has lost synchronisation and needs data from the communication partner to finish the active AG_RECV.
      Remedy: Check the error message of the communication partner and verify the data with a telegram trace if needed.
A012  Event:  The parameterised DB_1 and DB_2 overlap.
A013  Event:  The parameterised DB_1 and DB_3 overlap.
A014  Event:  The parameterised DB_1 and DB_4 overlap.
A015  Event:  The parameterised DB_1 and DB_5 overlap.
A023  Event:  The parameterised DB_2 and DB_3 overlap.
A024  Event:  The parameterised DB_2 and DB_4 overlap.
A025  Event:  The parameterised DB_2 and DB_5 overlap.
A034  Event:  The parameterised DB_3 and DB_4 overlap.
A035  Event:  The parameterised DB_3 and DB_5 overlap.
A045  Event:  The parameterised DB_4 and DB_5 overlap.
      Remedy (A012 to A045): Correct the parameterisation. The data areas must not contain any overlapping register areas.
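
The remedy "verify the data of the communication partner with the help of a telegram trace" can be automated. The following is an added example, not part of the FB MODBUS or of the original manual: it checks a captured response telegram against its request and returns the STATUS value from the table above that the inconsistency corresponds to. The order of the checks, treating every exception code other than 1 and 2 as "unknown", and the function names are assumptions of this example; the telegrams in demo() are constructed sample data.

```python
import struct

# MODBUS/TCP prefix: TI, protocol id, length high byte (byte 4), length low byte, UNIT
MBAP = struct.Struct(">HHBBB")

def request(ti, unit, fc, start, count, values=()):
    """Build a function code 03 (read) or 16 (write) request telegram."""
    pdu = struct.pack(">BHH", fc, start, count)
    if fc == 16:
        pdu += bytes([2 * count]) + struct.pack(f">{count}H", *values)
    return MBAP.pack(ti, 0, 0, len(pdu) + 1, unit) + pdu

def check_response(req, rsp):
    """Return the STATUS (hex string) matching an inconsistency, or None if the response fits."""
    if len(rsp) < 9:
        raise ValueError("response shorter than prefix + function code + one byte")
    req_unit = req[6]
    req_fc, req_start, req_count = struct.unpack_from(">BHH", req, 7)
    _ti, _proto, len_hi, len_lo, unit = MBAP.unpack_from(rsp)
    fc = rsp[7]
    if len_hi != 0:
        return "A01A"                      # byte 4 of the prefix is not 0
    if unit != req_unit:
        return "A00A"                      # UNIT differs from the sent one
    if fc == req_fc | 0x80:                # exception telegram
        return {1: "A01B", 2: "A01C"}.get(rsp[8], "A01D")
    if fc != req_fc:
        return "A00B"                      # function code differs from the sent one
    if fc == 3:
        byte_count = rsp[8]
        if byte_count != 2 * req_count:
            return "A00C"                  # byte count does not match register count
        if len_lo != 3 + byte_count or len(rsp) != 6 + len_lo:
            return "A00E"                  # header length inconsistent with content
    elif fc == 16:
        if len_lo != 6 or len(rsp) != 12:
            return "A00E"
        if struct.unpack_from(">H", rsp, 8)[0] != req_start:
            return "A00D"                  # register address not echoed correctly
    return None

def demo():
    """Run the check over constructed telegrams (sample data, not a real trace)."""
    read = request(ti=1, unit=1, fc=3, start=0, count=2)
    write = request(ti=2, unit=1, fc=16, start=0x10, count=2, values=(1, 2))
    data = bytes([3, 4, 0, 10, 0, 20])     # FC 03, byte count 4, two registers
    cases = {
        "read ok": (read, MBAP.pack(1, 0, 0, 7, 1) + data),
        "wrong unit": (read, MBAP.pack(1, 0, 0, 7, 9) + data),
        "wrong fc": (read, MBAP.pack(1, 0, 0, 7, 1) + bytes([4]) + data[1:]),
        "short byte count": (read, MBAP.pack(1, 0, 0, 5, 1) + bytes([3, 2, 0, 10])),
        "bad header length": (read, MBAP.pack(1, 0, 0, 9, 1) + data),
        "byte 4 set": (read, MBAP.pack(1, 0, 1, 7, 1) + data),
        "exception 2": (read, MBAP.pack(1, 0, 0, 3, 1) + bytes([0x83, 2])),
        "exception 4": (read, MBAP.pack(1, 0, 0, 3, 1) + bytes([0x83, 4])),
        "write ok": (write, MBAP.pack(2, 0, 0, 6, 1) + struct.pack(">BHH", 16, 0x10, 2)),
        "write wrong address": (write, MBAP.pack(2, 0, 0, 6, 1) + struct.pack(">BHH", 16, 0x11, 2)),
    }
    return {name: check_response(q, r) for name, (q, r) in cases.items()}

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:20} -> {status}")
```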

6.4 Diagnostic Messages of included FCs/SFCs
Error messages of included FCs/SFCs (STATUS in hex)
7xxx  Event:  For detailed information please refer to the online help of SIMATIC Manager.
      Remedy: See online help (SIMATIC Manager -> mark block -> key F1 -> Ethernet -> see also -> code evaluation).
8xxx  Event:  For detailed information please refer to the online help of SIMATIC Manager.
      Remedy: See online help (SIMATIC Manager -> mark block -> key F1 -> Ethernet -> see also -> code evaluation).
6.5 Diagnostic Messages of SFC24
Error messages of SFC24 (STATUS in hex)
80A1  Event:  DB number = 0 or too large for the CPU.
      Remedy: Choose a valid DB number.
80B1  Event:  The DB does not exist in the CPU.
      Remedy: All data blocks that are specified in DB_x must be created and copied into the CPU.
80B2  Event:  DB UNLINKED.
      Remedy: DB must not be created as UNLINKED.


7 Application Sample
General Information
The following simple programming example illustrates the use of FB MODBUS.
The S7 program is for information purposes only and is not to be understood as
a solution for a customer-specific installation configuration.

The programming example consists of:
  Start-Up OB100, FB200
  Cyclic program processing OB1 with call of FB 100
  Work-DB for job trigger, e.g. with variable table
  Data blocks for register values

Used Blocks
The following blocks are used in the programming example.

Block    Symbol   Comment
OB 1              Cyclic program processing
OB 100            Start-Up OB for Re-Start
FB 200            FB INITIATE_MODBUS for Start-Up
FB 100            FB MODBUS
DB 100            Instance-DB for FB MODBUS
DB 200            Instance-DB for FB INITIATE_MODBUS
DB 222            Work-DB "CONTROL DAT" for FB MODBUS, FB INITIATE_MODBUS
DB 11             Register-DB for memory area 1
DB 12             Register-DB for memory area 2
DB 13             Register-DB for memory area 3
DB 14             Register-DB for memory area 4
DB 15             Register-DB for memory area 5

Used Data
The following operands (memory bits, data bits or data words) have been used in the
programming example.

Operand Type Name
T 5 TIMER unattached TIMER
DB222.DBW 0 INT "CONTROL DAT".ID
DB222.DBW 2 WORD "CONTROL DAT".LADDR
DB222.DBB 4 INT "CONTROL DAT".RESERVED1
DB222.DBW 6 INT "CONTROL DAT".MONITOR

DB222.DBW 8 WORD "CONTROL DAT".DB_1
DB222.DBW 10 WORD "CONTROL DAT".START_1
DB222.DBW 12 WORD "CONTROL DAT".END_1
DB222.DBW 14 WORD "CONTROL DAT".DB_2
DB222.DBW 16 WORD "CONTROL DAT".START_2
DB222.DBW 18 WORD "CONTROL DAT".END_2
DB222.DBW 20 WORD "CONTROL DAT".DB_3
DB222.DBW 22 WORD "CONTROL DAT".START_3
DB222.DBW 24 WORD "CONTROL DAT".END_3
DB222.DBW 26 WORD "CONTROL DAT".DB_4
DB222.DBW 28 WORD "CONTROL DAT".START_4
DB222.DBW 30 WORD "CONTROL DAT".END_4
DB222.DBW 32 WORD "CONTROL DAT".DB_5
DB222.DBW 34 WORD "CONTROL DAT".START_5
DB222.DBW 36 WORD "CONTROL DAT".END_5
DB222.DBX 38.0 BOOL "CONTROL DAT".WRITE_PROTECT1
DB222.DBX 38.1 BOOL "CONTROL DAT".WRITE_PROTECT2
DB222.DBX 38.2 BOOL "CONTROL DAT".WRITE_PROTECT3
DB222.DBX 38.3 BOOL "CONTROL DAT".WRITE_PROTECT4
DB222.DBX 38.4 BOOL "CONTROL DAT".WRITE_PROTECT5
DB222.DBX 38.5 BOOL "CONTROL DAT".ENQ_ENR
DB222.DBX 38.6 BOOL "CONTROL DAT".SERVER_CLIENT
DB222.DBW 39 BYTE "CONTROL DAT".RESERVED2
DB222.DBX 40.0 BOOL "CONTROL DAT".DONE_NDR
DB222.DBX 40.1 BOOL "CONTROL DAT".ERROR
DB222.DBW 42 WORD "CONTROL DAT".STATUS
DB222.DBW 44 WORD "CONTROL DAT".START_ADDRESS
DB222.DBW 46 WORD "CONTROL DAT".LENGTH
DB222.DBX 47.0 BOOL "CONTROL DAT".WRITE_READ
DB222.DBW 48 WORD "CONTROL DAT".TI
DB222.DBW 50 WORD "CONTROL DAT".TI

Operand                        Type                 Name
DB11.DBW 0 to DB11.DBW 248     ARRAY[1..125] WORD   "REG_BEREICH_1".DB-REG1[1] to "REG_BEREICH_1".DB-REG1[125]
DB12.DBW 0 to DB12.DBW 248     ARRAY[1..125] WORD   "REG_BEREICH_2".DB-REG2[1] to "REG_BEREICH_2".DB-REG2[125]
DB13.DBW 0 to DB13.DBW 248     ARRAY[1..125] WORD   "REG_BEREICH_3".DB-REG3[1] to "REG_BEREICH_3".DB-REG3[125]
DB14.DBW 0 to DB14.DBW 248     ARRAY[1..125] WORD   "REG_BEREICH_4".DB-REG4[1] to "REG_BEREICH_4".DB-REG4[125]
DB15.DBW 0 to DB15.DBW 248     ARRAY[1..125] WORD   "REG_BEREICH_5".DB-REG5[1] to "REG_BEREICH_5".DB-REG5[125]

7.1 Programming Example CP is Client
Programming Example
The blocks are listed as follows:

Block Comment
OB 1 Cyclic Program Processing
OB 100 Start-Up OB for Re-start

FB 200 FB INITIATE_MODBUS for Start-up OB

DB 222 work-DB "CONTROL DAT"
for FB MODBUS, FB INITIATE_MODBUS

Start-Up
OB100 Start-Up-OB

Call of FB 200 for initialisation of "MODBUS"


CALL "INITIATE_MODBUS" , "INITIATE DAT"

ID :=2 // from connection table
LADDR :=W#16#7FC // from HW Config
TIMER_NR :=T5 // nonattached Timer
MONITOR :=
DB_1 := W#16#B // first memory area
START_1 := W#16#1
END_1 := W#16#7D
DB_2 := W#16#C // second memory area
START_2 := W#16#7E
END_2 := W#16#FA
DB_3 := W#16#D // third memory area
START_3 := W#16#FB
END_3 := W#16#177
DB_4 := W#16#E // fourth memory area
START_4 := W#16#178
END_4 := W#16#1F4
DB_5 := W#16#F // fifth memory area
START_5 := W#16#1F5
END_5 := W#16#271
WRITE_PROTECT1 := // irrelevant when CP is client
WRITE_PROTECT2 :=
WRITE_PROTECT3 :=
WRITE_PROTECT4 :=
WRITE_PROTECT5 :=
ENQ_ENR :=FALSE // trigger bit
SERVER_CLIENT :=FALSE // CP is client

FB 200 "INITIATE_MODBUS"

The FB 200 copies its parameters into the DB222 to provide the user with the
opportunity to start jobs with the Variable Table.

OPN "CONTROL DAT" // DB 222
L #ID
T "CONTROL DAT".ID

L #LADDR
T "CONTROL DAT".LADDR

L #DB_1
T "CONTROL DAT".DB_1
L #START_1
T "CONTROL DAT".START_1
L #END_1
T "CONTROL DAT".END_1

L #DB_2
T "CONTROL DAT".DB_2
L #START_2
T "CONTROL DAT".START_2
L #END_2
T "CONTROL DAT".END_2

L #DB_3
T "CONTROL DAT".DB_3
L #START_3
T "CONTROL DAT".START_3
L #END_3
T "CONTROL DAT".END_3

L #DB_4
T "CONTROL DAT".DB_4
L #START_4
T "CONTROL DAT".START_4
L #END_4
T "CONTROL DAT".END_4

L #DB_5
T "CONTROL DAT".DB_5
L #START_5
T "CONTROL DAT".START_5
L #END_5
T "CONTROL DAT".END_5

A #SERVER_CLIENT
= "CONTROL DAT".SERVER_CLIENT

CALL "MODBUS" , "MODBUS_DAT"
ID :="CONTROL DAT".ID
LADDR :="CONTROL DAT".LADDR
TIMER_NR :=#TIMER_NR
MONITOR :=
DB_1 :="CONTROL DAT".DB_1
START_1 :="CONTROL DAT".START_1
END_1 :="CONTROL DAT".END_1
DB_2 :="CONTROL DAT".DB_2
START_2 :="CONTROL DAT".START_2
END_2 :="CONTROL DAT".END_2
DB_3 :="CONTROL DAT".DB_3
START_3 :="CONTROL DAT".START_3
END_3 :="CONTROL DAT".END_3
DB_4 :="CONTROL DAT".DB_4
START_4 :="CONTROL DAT".START_4
END_4 :="CONTROL DAT".END_4
DB_5 :="CONTROL DAT".DB_5
START_5 :="CONTROL DAT".START_5
END_5 :="CONTROL DAT".END_5
WRITE_PROTECT1 :=
WRITE_PROTECT2 :=
WRITE_PROTECT3 :=
WRITE_PROTECT4 :=
WRITE_PROTECT5 :=
ENQ_ENR :=
SERVER_CLIENT :="CONTROL DAT".SERVER_CLIENT
DONE_NDR :=
ERROR :="CONTROL DAT".ERROR
STATUS :="CONTROL DAT".STATUS
START_ADDRESS :=
LENGTH :=
WRITE_READ :=
TI :=
UNIT :=

AN "CONTROL DAT".ERROR
JC TRIG //Init completed without error

//Init completed with error
//put your error handling here
JU END

TRIG: L 1 //default values for client job
T "CONTROL DAT".UNIT

L 1
T "CONTROL DAT".START_ADDRESS

L 2
T "CONTROL DAT".LENGTH

L "CONTROL DAT".TI //TI should be incremented
L 1 //with each job
+I
T "CONTROL DAT".TI

SET
= "CONTROL DAT".WRITE_READ

END: NOP 0 //jump target for JU END
Cyclic Program
OB1 Cyclic-OB

OPN "CONTROL DAT"

CALL "MODBUS" , "MODBUS_DAT"
ID :=
LADDR :=
TIMER_NR :=
MONITOR :="CONTROL DAT".MONITOR
DB_1 :=
START_1 :=
END_1 :=
DB_2 :=
START_2 :=
END_2 :=
DB_3 :=
START_3 :=
END_3 :=
DB_4 :=
START_4 :=
END_4 :=
DB_5 :=
START_5 :=
END_5 :=
WRITE_PROTECT1 :=
WRITE_PROTECT2 :=
WRITE_PROTECT3 :=
WRITE_PROTECT4 :=
WRITE_PROTECT5 :=
ENQ_ENR :="CONTROL DAT".ENQ_ENR
SERVER_CLIENT :=
DONE_NDR :="CONTROL DAT".DONE_NDR
ERROR :="CONTROL DAT".ERROR
STATUS :="CONTROL DAT".STATUS
START_ADDRESS :="CONTROL DAT".START_ADDRESS
LENGTH :="CONTROL DAT".LENGTH
WRITE_READ :="CONTROL DAT".WRITE_READ
TI :="CONTROL DAT".TI
UNIT :="CONTROL DAT".UNIT

A "CONTROL DAT".ENQ_ENR
R "CONTROL DAT".ENQ_ENR //reset trigger

A "CONTROL DAT".DONE_NDR //job finished without error
JC TRIG //trigger new job

A "CONTROL DAT".ERROR //job finished with error
//put your error handling here

BEU //wait until job finished

TRIG:
L "CONTROL DAT".TI //increment TI with each job
L 1
+I
T "CONTROL DAT".TI

SET
= "CONTROL DAT".ENQ_ENR //trigger
//initialise values for a
//new job here



7.2 Programming Example CP is Server
Programming Example
The blocks are listed as follows:

Block Comment
OB 1 Cyclic Program Processing
OB 100 Start-Up OB for Re-start

FB 200 FB INITIATE_MODBUS for Start-up OB

DB 222 work-DB "CONTROL DAT"
for FB MODBUS, FB INITIATE_MODBUS

Start-Up
OB100 Start-Up-OB

Call of FB 200 for initialisation of "MODBUS"

CALL "INITIATE_MODBUS" , "INITIATE DAT"

ID :=1 // from connection table
LADDR :=W#16#100 // from HW Config
UNIT :=b#16#2 // UNIT number 2
TIMER_NR :=T5 // nonattached Timer
MONITOR :=
DB_1 := W#16#B // first memory area
START_1 := W#16#1
END_1 := W#16#7D
DB_2 := W#16#C // second memory area
START_2 := W#16#7E
END_2 := W#16#FA
DB_3 := W#16#D // third memory area
START_3 := W#16#FB
END_3 := W#16#177
DB_4 := W#16#E // fourth memory area
START_4 := W#16#178
END_4 := W#16#1F4
DB_5 := W#16#F // fifth memory area
START_5 := W#16#1F5
END_5 := W#16#271
WRITE_PROTECT1 :=FALSE
WRITE_PROTECT2 :=FALSE
WRITE_PROTECT3 :=FALSE
WRITE_PROTECT4 :=FALSE
WRITE_PROTECT5 :=FALSE
ENQ_ENR :=FALSE
SERVER_CLIENT :=TRUE //CP is server
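
The parameterisation above can be checked offline before it is downloaded. The following is an added example, not Siemens code and not part of the original manual: it takes the five areas exactly as given in the start-up call, reports the STATUS values A010 and A012 to A045 for duplicate DB numbers and overlapping register areas, maps a register request to its DB and byte offset, and lists areas a client may write to. Inclusive START/END ranges follow from the 125-word register DBs; that the server answers out-of-range or DB-spanning requests with exception code 2 (returned here as "EXC2"), the check order and all function names are assumptions of this example.

```python
from collections import namedtuple
from itertools import combinations

Area = namedtuple("Area", "db start end write_protect")

# Values from the server start-up call above (DB_x, START_x, END_x, WRITE_PROTECTx)
AREAS = [
    Area(0xB, 0x001, 0x07D, False),
    Area(0xC, 0x07E, 0x0FA, False),
    Area(0xD, 0x0FB, 0x177, False),
    Area(0xE, 0x178, 0x1F4, False),
    Area(0xF, 0x1F5, 0x271, False),
]

def lint(areas):
    """Return the STATUS values a faulty parameterisation would produce."""
    findings = []
    dbs = [a.db for a in areas]
    if len(set(dbs)) != len(dbs):
        findings.append("A010")                 # a DB number is used twice
    for (i, a), (j, b) in combinations(enumerate(areas, 1), 2):
        if a.start <= b.end and b.start <= a.end:
            findings.append(f"A0{i}{j}")        # DB_i and DB_j overlap
    return findings

def resolve(areas, start_address, length, write):
    """Map a request to (DB number, byte offset of first word) or to an error."""
    last = start_address + length - 1
    for a in areas:
        if a.start <= start_address <= a.end:
            if last > a.end:
                return "EXC2"                   # not all data in the same DB
            if write and a.write_protect:
                return "A00F"                   # write to a write-protected area
            return (a.db, (start_address - a.start) * 2)
    return "EXC2"                               # address outside every area

def writable(areas):
    """DB numbers any connected client can overwrite (WRITE_PROTECTx = FALSE)."""
    return [a.db for a in areas if not a.write_protect]

if __name__ == "__main__":
    print("lint:", lint(AREAS) or "no findings")
    print("register 0x7D, 1 word ->", resolve(AREAS, 0x7D, 1, False))
    print("writable DBs:", writable(AREAS))
```

With all WRITE_PROTECTx parameters FALSE, as in the sample, every register DB is reported as writable by any client that can reach the connection.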


FB 200 "INITIATE_MODBUS"

FB 200 copies its parameters to DB222. The user can monitor the jobs by watching
DB222 data in the variable table.

OPN "CONTROL DAT" // DB 222
L #ID
T "CONTROL DAT".ID
L #LADDR
T "CONTROL DAT".LADDR

L #DB_1
T "CONTROL DAT".DB_1
L #START_1
T "CONTROL DAT".START_1
L #END_1
T "CONTROL DAT".END_1
L #DB_2
T "CONTROL DAT".DB_2
L #START_2
T "CONTROL DAT".START_2
L #END_2
T "CONTROL DAT".END_2
L #DB_3
T "CONTROL DAT".DB_3
L #START_3
T "CONTROL DAT".START_3
L #END_3
T "CONTROL DAT".END_3
L #DB_4
T "CONTROL DAT".DB_4
L #START_4
T "CONTROL DAT".START_4
L #END_4
T "CONTROL DAT".END_4
L #DB_5
T "CONTROL DAT".DB_5
L #START_5
T "CONTROL DAT".START_5
L #END_5
T "CONTROL DAT".END_5
A #WRITE_PROTECT1
= "CONTROL DAT".WRITE_PROTECT1
A #WRITE_PROTECT2
= "CONTROL DAT".WRITE_PROTECT2
A #WRITE_PROTECT3
= "CONTROL DAT".WRITE_PROTECT3
A #WRITE_PROTECT4
= "CONTROL DAT".WRITE_PROTECT4
A #WRITE_PROTECT5
= "CONTROL DAT".WRITE_PROTECT5

A #SERVER_CLIENT
= "CONTROL DAT".SERVER_CLIENT

// Call of MODBUS FB with copied initialisation values
CALL "MODBUS" , "MODBUS_DAT"
ID :="CONTROL DAT".ID
LADDR :="CONTROL DAT".LADDR
TIMER_NR :=#TIMER_NR
MONITOR :=
DB_1 :="CONTROL DAT".DB_1
START_1 :="CONTROL DAT".START_1
END_1 :="CONTROL DAT".END_1
DB_2 :="CONTROL DAT".DB_2
START_2 :="CONTROL DAT".START_2
END_2 :="CONTROL DAT".END_2
DB_3 :="CONTROL DAT".DB_3
START_3 :="CONTROL DAT".START_3
END_3 :="CONTROL DAT".END_3
DB_4 :="CONTROL DAT".DB_4
START_4 :="CONTROL DAT".START_4
END_4 :="CONTROL DAT".END_4
DB_5 :="CONTROL DAT".DB_5
START_5 :="CONTROL DAT".START_5
END_5 :="CONTROL DAT".END_5
WRITE_PROTECT1 :="CONTROL DAT".WRITE_PROTECT1
WRITE_PROTECT2 :="CONTROL DAT".WRITE_PROTECT2
WRITE_PROTECT3 :="CONTROL DAT".WRITE_PROTECT3
WRITE_PROTECT4 :="CONTROL DAT".WRITE_PROTECT4
WRITE_PROTECT5 :="CONTROL DAT".WRITE_PROTECT5
ENQ_ENR :=
SERVER_CLIENT :="CONTROL DAT".SERVER_CLIENT
DONE_NDR :=
ERROR :="CONTROL DAT".ERROR
STATUS :="CONTROL DAT".STATUS
START_ADDRESS :=
LENGTH :=
WRITE_READ :=
TI :=
UNIT :=

A "CONTROL DAT".ERROR //INIT completed with error
JC ERR //cyclic operation doesn't
//make sense

SET //INIT completed without error
= "CONTROL DAT".ENQ_ENR //enable data transfer
JU END

ERR: NOP 0 //put your error handling here
END: NOP 0 //jump target for JU END





Cyclic Program
OB1 Cyclic-OB

OPN "CONTROL DAT"

CALL "MODBUS" , "MODBUS_DAT"

ID :=
LADDR :=
TIMER_NR :=
MONITOR :="CONTROL DAT".MONITOR
DB_1 :=
START_1 :=
END_1 :=
DB_2 :=
START_2 :=
END_2 :=
DB_3 :=
START_3 :=
END_3 :=
DB_4 :=
START_4 :=
END_4 :=
DB_5 :=
START_5 :=
END_5 :=
WRITE_PROTECT1 :=
WRITE_PROTECT2 :=
WRITE_PROTECT3 :=
WRITE_PROTECT4 :=
WRITE_PROTECT5 :=
ENQ_ENR :="CONTROL DAT".ENQ_ENR
SERVER_CLIENT :=
DONE_NDR :="CONTROL DAT".DONE_NDR
ERROR :="CONTROL DAT".ERROR
STATUS :="CONTROL DAT".STATUS
START_ADDRESS :="CONTROL DAT".START_ADDRESS
LENGTH :="CONTROL DAT".LENGTH
WRITE_READ :="CONTROL DAT".WRITE_READ
TI :="CONTROL DAT".TI
UNIT :="CONTROL DAT".UNIT






A Literature
Schneider Electric OPEN MODBUS/TCP SPECIFICATION
Release 1.0, 29 March 1999
Andy Swales
Schneider Electric

OPEN MODBUS / TCP communication via CP343-1 and 443-1 Appendix - 1
2XV9450-1MB00; Manual edition 2.0

Glossary


A
Address The address identifies a physical storage location. If the address is
known, the operand stored there can be directly accessed.
Automation System An automation system is a programmable logic controller that contains
at least a CPU, different input and output devices as well as HMI
devices.
B
Block Call A block call occurs when program processing branches to the called
block.
Block Parameter Block parameters are variables within multiple-use blocks, which are
replaced with actual values when the relevant block is called.
Blocks Blocks are elements of the user program which are defined by their
function, structure, or purpose. With STEP7 there are:
  Code blocks (FB, FC, OB, SFB, SFC)
  Data blocks (DB, SDB)
  User-defined data types (UDT)
C
Communications Processor Communications processors are modules for point-to-point connections
and bus connections.
Configuration The configuration is the set up of individual modules of the PLC in the
configuration table.
Connection Parameterisation The specification of a connection ID in the system function block. With
the help of a connection ID the system function blocks can
communicate between two communication points.
CPU Central processing unit of the S7 programmable logic controller with
control and arithmetic unit, memory, operating system, and interfaces to
I/O modules.
CRC Cyclic Redundancy Check = checksum which guarantees a high
probability of error recognition.
Cycle Time The cycle time is the time the CPU needs to execute the user program
once.
Cyclic Program Processing In cyclic program processing, the user program is executed in a
constantly repeating program loop, called a cycle.

D
Data Block (DB) These are blocks containing data and parameters with which the user
program works. Unlike all other blocks, data blocks do not contain
instructions. They are subdivided into global data blocks and instance
data blocks. The data held in the data blocks can be accessed
absolutely or symbolically. Complex data can be stored in structured
form.
Data Type Data types allow users to define how the value of a variable or constant
is to be used in the user program. They are classified into elementary
and structured data types.
Default Setting The default setting is a basic setting which is always used if no other
value is specified.
Diagnostic Buffer Every CPU has a diagnostic buffer, in which detailed information on
diagnostic events is stored in the order in which they occur.
Diagnostic Event Diagnostic events are, for example, errors on a module or system
errors in the CPU, which are caused by, say, a program error or by
operating mode transitions.
Diagnostic Functions The diagnostics functions cover the entire system diagnosis and include
detection, analysis and reporting of errors within the automation
system.
Download Downloading means loading objects (e.g. code blocks) from the
programming device into the load memory of the CPU.
F
Function Block (FB) Function blocks are components of the user program and, in
accordance with the IEC standard, are blocks with memory. The
memory for the function block is an assigned data block, a so called
instance data block. Function blocks can be parameterised but can
also be used without parameters.
H
Hardware Hardware is the term given to all the physical and technical equipment
of a PLC.
I
Instance Data Block An instance data block is a block assigned to a function block and
contains data for this special function block.
Interface Module On the interface module the physical conversion of signals takes place.
By exchanging the pluggable interface module you can adapt the
communications processor to the physical interface of the
communications partner.
Interrupt Interrupt is a name for a break of the program processing in the
processor of an automation system by an external alarm.

M
Module Modules are pluggable printed circuit boards for programmable logic
controllers.
Module Parameters Module parameters are used to set the module behaviours. A
distinction is made between static and dynamic module parameters.
O
Online / Offline Online means that a data connection exists between PLC and
programming device. Offline means that no such data connection
exists.
Online Help STEP7 allows you to display contextual help texts on the screen while
working with the programming software.
Operand An operand is part of a STEP7 instruction and states with what the
processor is to do something. It can be both absolutely and symbolically
addressed.
Operating Mode The SIMATIC S7 programmable controllers have three different
operating modes: STOP, START UP and RUN. The functionality of the
CPUs varies in the individual operating modes.
Operating System of the CPU The operating system of the CPU organizes all functions and
operations of the CPU which are not connected to a specific control
task.
P
Parameter Parameters are values that can be assigned. A distinction is made
between block parameters and module parameters.
Parameterisation Parameterisation means setting the behaviour of a module.
Parameterisation Interface CP 441: Point-to-Point Communication, Parameter Assignment
The CP 441: Point-to-Point Communication, Parameter Assignment
parameterisation interface is used to parameterise the interface
modules of the communications processor and the driver-specific
parameters. Each loadable driver extends the standard functionality
(i.e. adds more functionality).
Point-to-Point connection In a point-to-point connection the communications processor is the
interface between a PLC and a communications partner.
Procedure The execution of a data interchange operation according to a specific
protocol is called a procedure.
Process image This is a special memory area in the PLC. At the beginning of the cyclic
program, the signal states of the input modules are transferred to the
process image input table. At the end of the cyclic program, the process
image of the outputs is transferred to the output modules as output
signals.
Protocol The communications partners involved in a data interchange must
abide by fixed rules for handling and implementing the data traffic.
These rules are called protocols.

R
Rack A rack is a rail containing slots for mounting modules.
S
Software Software is the term given to all programs used on a computer system.
These include the operating system and the user programs.
START UP The operating mode START UP is active when the CPU transits from
operating mode STOP to operating mode RUN.
STEP7 STEP7 is the programming software of SIMATIC S7.
System Block System blocks differ from the other blocks in that they are already
integrated into the S7-400 system and are available for already defined
system functions. They are classified into system data blocks, system
functions, and system function blocks.
System Function (SFC) System functions are software modules without memory which are
already integrated into the operating system of the S7-CPU and can be
called by the user as required.
System Function Block (SFB) System function blocks are software modules with memory which are
already integrated into the operating system of the S7-CPU and can be
called up by the user as required.
T
Tool A tool is a piece of software that is capable of accessing operating
system functions in a programming device.
U
Upload Uploading means loading objects (e.g. code blocks) from the load
memory of the CPU into the programming device.
User Program The user program contains all instructions and declarations for signal
processing, by means of which a system or a process can be
controlled. The user program for SIMATIC S7 is structured and is
divided into smaller units called blocks.
V
Variable A variable is an operand (e.g. E 1.0) which can have a symbolic name
and can therefore also be addressed symbolically.
W
Work Memory The work memory is a RAM on the CPU which the processor accesses
while processing the user program.
